* [refpolicy] services_snort.patch
@ 2008-09-24 19:59 Daniel J Walsh
  2008-10-09 18:09 ` Christopher J. PeBenito
  0 siblings, 1 reply; 18+ messages in thread
From: Daniel J Walsh @ 2008-09-24 19:59 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_snort.patch

New path for snort

snort now uses /var/run/snort

Add initrc script support

allow admin to start/stop service

Admin needs admin_pattern on all file types

snort uses the netlink_firewall_socket

connects to the prelude port

reads random devices

reads utmp file

resolves hostnames

plays with prelude

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjanCcACgkQrlYvE4MpobMP3QCgo2zQdPjF9tnFxRDY5UDi+GrM
YlYAniNBcZ8xRMFmtWcLHUqskeFKN8ng
=W9eu
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 18+ messages in thread

* [refpolicy] services_cvs.patch
@ 2008-09-24 20:43 Daniel J Walsh
  0 siblings, 0 replies; 18+ messages in thread
From: Daniel J Walsh @ 2008-09-24 20:43 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch

Add initrc script support

allow admin to start/stop service

Admin needs admin_pattern on all file types

Add CVSWeb file context and cgi support

cvs uses kerberos_keytab file


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjapl4ACgkQrlYvE4MpobPhGgCfaA5iZd2zCpLQ74FTlkN6Tdur
mWYAoNKH8nQRES1r3Fe+s4BVniHBD+ZJ
=tSoP
-----END PGP SIGNATURE-----


* [refpolicy] services_snort.patch
  2008-09-24 19:59 [refpolicy] services_snort.patch Daniel J Walsh
@ 2008-10-09 18:09 ` Christopher J. PeBenito
  2008-10-10 20:30   ` [refpolicy] services_cvs.patch Daniel J Walsh
                     ` (3 more replies)
  0 siblings, 4 replies; 18+ messages in thread
From: Christopher J. PeBenito @ 2008-10-09 18:09 UTC (permalink / raw)
  To: refpolicy

On Wed, 2008-09-24 at 15:59 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_snort.patch
> 
> New path for snort
> 
> snort now uses /var/run/snort
> 
> Add initrc script support
> 
> allow admin to start/stop service
> 
> Admin needs admin_pattern on all file types
> 
> snort uses the netlink_firewall_socket
> 
> connects to the prelude port
> 
> reads random devices
> 
> reads utmp file
> 
> resolves hostnames
> 
> plays with prelude

Merged, except for the prelude bits.  It also sounds like that DNS
resolve should go in the prelude optional too.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] services_cvs.patch
  2008-10-09 18:09 ` Christopher J. PeBenito
@ 2008-10-10 20:30   ` Daniel J Walsh
  2008-10-13 15:10     ` Christopher J. PeBenito
  2008-10-10 20:32   ` [refpolicy] services_cyrus.patch Daniel J Walsh
                     ` (2 subsequent siblings)
  3 siblings, 1 reply; 18+ messages in thread
From: Daniel J Walsh @ 2008-10-10 20:30 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Add httpd cgi policy and kerberos_keytab support
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjvu4IACgkQrlYvE4MpobOG+ACdH2qVNjMHNwEutoITf2k5XcRH
1AAAoIebE+cibauYgEtQfxgtpWkvAjNW
=J70B
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: services_cvs.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/1322014c/attachment.pl 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: services_cvs.patch.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/1322014c/attachment.obj 


* [refpolicy] services_cyrus.patch
  2008-10-09 18:09 ` Christopher J. PeBenito
  2008-10-10 20:30   ` [refpolicy] services_cvs.patch Daniel J Walsh
@ 2008-10-10 20:32   ` Daniel J Walsh
  2008-10-13 15:10     ` Christopher J. PeBenito
  2008-10-10 20:40   ` [refpolicy] services_snort.patch Daniel J Walsh
  2008-10-10 20:45   ` [refpolicy] services_munin.patch Daniel J Walsh
  3 siblings, 1 reply; 18+ messages in thread
From: Daniel J Walsh @ 2008-10-10 20:32 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Add _admin support and kerberos_keytab.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjvu98ACgkQrlYvE4MpobM+OwCgqyblyjx2mD9S9ed+bpxnN7KN
uwQAn2pmMam5onEoj8c9bsB6+RSg4Jfk
=RXAW
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: services_cyrus.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/447a5dfc/attachment.pl 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: services_cyrus.patch.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/447a5dfc/attachment.obj 


* [refpolicy] services_snort.patch
  2008-10-09 18:09 ` Christopher J. PeBenito
  2008-10-10 20:30   ` [refpolicy] services_cvs.patch Daniel J Walsh
  2008-10-10 20:32   ` [refpolicy] services_cyrus.patch Daniel J Walsh
@ 2008-10-10 20:40   ` Daniel J Walsh
  2008-10-10 20:45   ` [refpolicy] services_munin.patch Daniel J Walsh
  3 siblings, 0 replies; 18+ messages in thread
From: Daniel J Walsh @ 2008-10-10 20:40 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Complete kerberos patch and several small domains that use kerberos keytabs.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjvvaEACgkQrlYvE4MpobMi9QCglHrjtdZ6lWuBUnxMztGQ9NuI
fvEAoM5zM+khcn65LXKylp/YubfJXBeM
=GGO7
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: services_kerberos.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/a66c95c6/attachment-0001.pl 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: services_kerberos.patch.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/a66c95c6/attachment-0001.obj 


* [refpolicy] services_munin.patch
  2008-10-09 18:09 ` Christopher J. PeBenito
                     ` (2 preceding siblings ...)
  2008-10-10 20:40   ` [refpolicy] services_snort.patch Daniel J Walsh
@ 2008-10-10 20:45   ` Daniel J Walsh
  3 siblings, 0 replies; 18+ messages in thread
From: Daniel J Walsh @ 2008-10-10 20:45 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Add admin functions and initrc handling

needs chown, setuid, dac_override and sys_rawio

Talks to itself over a fifo file

Manages its own logfile and directories.

Reads all sysctls and network state

Communicates with http and munin ports

Runs a ps command

calls getpw* functions so needs auth_use_nsswitch

Reads fonts

Executes ping and ifconfig

Starts fstools

Communicates with mysql

sends mail

Add apache scripts policy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjvvuUACgkQrlYvE4MpobPetACg2mUmok882mqwAOZP7bX6/sX6
FCMAnRDO9ZINe88BuAIOMzZRCDGwVC0X
=qTLK
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: services_munin.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/438a34c8/attachment.pl 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: services_munin.patch.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081010/438a34c8/attachment.obj 


* [refpolicy] services_cyrus.patch
  2008-10-10 20:32   ` [refpolicy] services_cyrus.patch Daniel J Walsh
@ 2008-10-13 15:10     ` Christopher J. PeBenito
  0 siblings, 0 replies; 18+ messages in thread
From: Christopher J. PeBenito @ 2008-10-13 15:10 UTC (permalink / raw)
  To: refpolicy

On Fri, 2008-10-10 at 16:32 -0400, Daniel J Walsh wrote:
> 
> Add _admin support and kerberos_keytab.

Merged.

> 
> [attachment: services_cyrus.patch]
> 
> --- nsaserefpolicy/policy/modules/services/cyrus.fc     2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.fc 2008-10-10 16:08:15.000000000 -0400
> @@ -1,3 +1,4 @@
> +/etc/rc\.d/init\.d/cyrus       --      gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
>  
>  /usr/lib(64)?/cyrus-imapd/cyrus-master --      gen_context(system_u:object_r:cyrus_exec_t,s0)
>  
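Review bot: the new entry is anchored to the exact name `/etc/rc\.d/init\.d/cyrus`, so confirm that is the name the package installs for the init script; the daemon itself lives under `/usr/lib(64)?/cyrus-imapd/`, and if the script is installed as `cyrus-imapd` this pattern will not match it, the script stays labeled as a generic init script, and the `init_labeled_script_domtrans` in the new `cyrus_admin` interface never fires. The `--` qualifier correctly restricts the match to regular files.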
> --- nsaserefpolicy/policy/modules/services/cyrus.if     2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.if 2008-10-10 16:08:15.000000000 -0400
> @@ -39,3 +39,47 @@
>         files_search_var_lib($1)
>         stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
>  ')
> +
> +########################################
> +## <summary>
> +##     All of the rules required to administrate 
> +##     an cyrus environment
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +## <param name="role">
> +##     <summary>
> +##     The role to be allowed to manage the cyrus domain.
> +##     </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`cyrus_admin',`
> +       gen_require(`
> +               type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
> +               type cyrus_var_run_t;
> +               type cyrus_initrc_exec_t;
> +       ')
> +
> +       allow $1 cyrus_t:process { ptrace signal_perms };
> +       ps_process_pattern($1, cyrus_t)
> +               
> +       init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
> +       domain_system_change_exemption($1)
> +       role_transition $2 cyrus_initrc_exec_t system_r;
> +       allow $2 system_r;
> +
> +       files_list_tmp($1)
> +       admin_pattern($1, cyrus_tmp_t)
> +
> +       files_list_var_lib($1)
> +       admin_pattern($1, cyrus_var_lib_t)
> +
> +       files_list_pids($1)
> +       admin_pattern($1, cyrus_var_run_t)
> +')
> +
> +
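Review bot: `allow $1 cyrus_t:process { ptrace signal_perms };` gives the admin domain ptrace over the running daemon, which means reading its memory, including whatever it has loaded from the keytab the .te hunk below wires in; that is the established refpolicy admin-interface pattern, but if the goal is only start/stop and cleanup it can be reduced to `signal_perms`. Two style points in the same hunk: the summary reads "an cyrus environment" (should be "a cyrus environment"), and both the `administrate` line and the blank line after `ps_process_pattern($1, cyrus_t)` carry trailing whitespace.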
> --- nsaserefpolicy/policy/modules/services/cyrus.te     2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.te 2008-10-10 16:08:15.000000000 -0400
> @@ -10,6 +10,9 @@
>  type cyrus_exec_t;
>  init_daemon_domain(cyrus_t, cyrus_exec_t)
>  
> +type cyrus_initrc_exec_t;
> +init_script_file(cyrus_initrc_exec_t)
> +
>  type cyrus_tmp_t;
>  files_tmp_file(cyrus_tmp_t)
>  
> @@ -120,7 +123,7 @@
>  ')
>  
>  optional_policy(`
> -       kerberos_use(cyrus_t)
> +       kerberos_keytab_template(cyrus, cyrus_t)
>  ')
>  
>  optional_policy(`
> 
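Review bot: replacing `kerberos_use(cyrus_t)` with `kerberos_keytab_template(cyrus, cyrus_t)` drops whatever `kerberos_use` granted beyond keytab access (in refpolicy that interface also covers the Kerberos configuration and network access), so confirm the template provides the same or keep the old call next to the new one; the cvs hunk in the sibling patch keeps `kerberos_read_config` alongside the template, which suggests this hunk is missing the equivalent. Also, if the template derives a per-domain keytab type, nothing in this patch's .fc adds a file context for the cyrus keytab, so the derived type is never applied on disk.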


-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] services_cvs.patch
  2008-10-10 20:30   ` [refpolicy] services_cvs.patch Daniel J Walsh
@ 2008-10-13 15:10     ` Christopher J. PeBenito
  0 siblings, 0 replies; 18+ messages in thread
From: Christopher J. PeBenito @ 2008-10-13 15:10 UTC (permalink / raw)
  To: refpolicy

On Fri, 2008-10-10 at 16:30 -0400, Daniel J Walsh wrote:
> Add httpd cgi policy and kerberos_keytab support

Merged.

> 
> [attachment: services_cvs.patch]
> 
> --- nsaserefpolicy/policy/modules/services/cvs.fc       2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.fc   2008-10-10 16:08:15.000000000 -0400
> @@ -5,3 +5,6 @@
>  
>  /var/cvs(/.*)?         gen_context(system_u:object_r:cvs_data_t,s0)
>  
> +#CVSWeb file context
> +/usr/share/cvsweb/cvsweb\.cgi  --      gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
> +/var/www/cgi-bin/cvsweb\.cgi   --      gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
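Review bot: the `/var/www/cgi-bin/cvsweb\.cgi` entry has to win over apache.fc's generic cgi-bin pattern for the CGI to run as httpd_cvs_script_t rather than httpd_sys_script_t; refpolicy sorts file contexts so the more specific entry takes precedence, but verify the built policy with `matchpathcon /var/www/cgi-bin/cvsweb.cgi` once installed. If the cgi-bin copy is a symlink to the /usr/share/cvsweb file, the `--` (regular file only) qualifier leaves the symlink itself on the generic cgi-bin label, which is harmless because the domain transition keys on the file the symlink resolves to, and that file is covered by the first entry.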
> --- nsaserefpolicy/policy/modules/services/cvs.if       2008-09-24 09:07:28.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.if   2008-10-10 16:08:15.000000000 -0400
> @@ -69,4 +69,13 @@
>         domain_system_change_exemption($1)
>         role_transition $2 cvs_initrc_exec_t system_r;
>         allow $2 system_r;
> +
> +       files_list_tmp($1)
> +       admin_pattern($1, cvs_tmp_t)
> +
> +       admin_pattern($1, cvs_data_t)
> +
> +       files_list_pids($1)
> +       admin_pattern($1, cvs_var_run_t)
>  ')
> +
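Review bot: `admin_pattern($1, cvs_data_t)` has no search helper in front of it, unlike the tmp and pids entries; cvs_data_t lives under `/var/cvs` per the .fc, so add `files_search_var($1)` (or `files_list_var($1)`) before it so the admin role can reach the repository without depending on rules granted elsewhere. The trailing `+` blank line at the end of the file adds trailing whitespace and can be dropped.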
> --- nsaserefpolicy/policy/modules/services/cvs.te       2008-09-24 09:07:28.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cvs.te   2008-10-10 16:08:15.000000000 -0400
> @@ -99,7 +99,17 @@
>  ')
>  
>  optional_policy(`
> -       kerberos_read_keytab(cvs_t)
> +       kerberos_keytab_template(cvs, cvs_t)
>         kerberos_read_config(cvs_t)
>         kerberos_dontaudit_write_config(cvs_t)
>  ')
> +
> +########################################
> +# CVSWeb policy
> +
> +apache_content_template(cvs)
> +
> +read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
> +manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
> +manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
> +files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
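Review bot: the CVSWeb block calls `apache_content_template(cvs)` unconditionally; in refpolicy one module must not require another module to be built, so wrap this section in `optional_policy(` ... `)` or the cvs module fails to build on a policy without apache. Within the block, `read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)` grants only file reads plus directory search, while a repository browser needs to list directories, so a `list_dirs_pattern` on cvs_data_t is probably needed as well. The last line, `files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })`, duplicates the /tmp transition the apache template already sets up for httpd_cvs_script_rw_t, which is the conflict raised later in the thread; either drop it or take the rw type out of the template for this domain.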
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] services_cvs.patch
@ 2008-10-14 20:47 Daniel J Walsh
  2008-11-06 15:43 ` Christopher J. PeBenito
  0 siblings, 1 reply; 18+ messages in thread
From: Daniel J Walsh @ 2008-10-14 20:47 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch

Needs

+       files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkj1BWwACgkQrlYvE4MpobPvNwCg0HVJW/bXtbOSg7tnP3rGDpGM
hcYAn0ns0ugl0ABrH9GZVamApa/84xAP
=wPFU
-----END PGP SIGNATURE-----


* [refpolicy] services_cvs.patch
  2008-10-14 20:47 Daniel J Walsh
@ 2008-11-06 15:43 ` Christopher J. PeBenito
  2008-11-06 16:31   ` Daniel J Walsh
  0 siblings, 1 reply; 18+ messages in thread
From: Christopher J. PeBenito @ 2008-11-06 15:43 UTC (permalink / raw)
  To: refpolicy

On Tue, 2008-10-14 at 16:47 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch
> 
> Needs
> 
> +       files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })

Conflicting type transition with httpd_cvs_script_rw_t.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] services_cvs.patch
  2008-11-06 15:43 ` Christopher J. PeBenito
@ 2008-11-06 16:31   ` Daniel J Walsh
  0 siblings, 0 replies; 18+ messages in thread
From: Daniel J Walsh @ 2008-11-06 16:31 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christopher J. PeBenito wrote:
> On Tue, 2008-10-14 at 16:47 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch
>>
>> Needs
>>
>> +       files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
> 
> Conflicting type transition with httpd_cvs_script_rw_t.
> 
Alright, I guess the problem here is in my version of the apache interface.

My apache_content_template eliminates a lot of the rules that were
specific to httpd_sys_script_t and moves them into the te file.  This
allows me to more easily write a confined cgi script that is much
tighter than the Reference policy's.

########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
template(`apache_content_template',`
	gen_require(`
		attribute httpd_exec_scripts;
		attribute httpd_script_exec_type;
		type httpd_t, httpd_suexec_t, httpd_log_t;
	')
	#This type is for webpages
	type httpd_$1_content_t;
	files_type(httpd_$1_content_t)

	# This type is used for .htaccess files
	type httpd_$1_htaccess_t;
	files_type(httpd_$1_htaccess_t)

	# Type that CGI scripts run as
	type httpd_$1_script_t;
	domain_type(httpd_$1_script_t)
	role system_r types httpd_$1_script_t;

	# This type is used for executable scripts files
	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
	corecmd_shell_entry_type(httpd_$1_script_t)
	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)

	# The following three are the only areas that
	# scripts can read, read/write, or append to
	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;

	type httpd_$1_content_rw_t;
	files_type(httpd_$1_content_rw_t)
	typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t;

	type httpd_$1_content_ra_t;
	files_type(httpd_$1_content_ra_t)
	typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t;

	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)

	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)

	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
	allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;

	allow httpd_$1_script_t self:fifo_file rw_file_perms;
	allow httpd_$1_script_t self:unix_stream_socket connectto;

	allow httpd_$1_script_t httpd_t:fifo_file write;
	# apache should set close-on-exec
	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };

	# Allow the script process to search the cgi directory, and users directory
	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
	read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)

	append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
	logging_search_logs(httpd_$1_script_t)

	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;

	allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
	read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
	append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)

	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
	manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)

	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)

	dev_read_rand(httpd_$1_script_t)
	dev_read_urand(httpd_$1_script_t)

	corecmd_exec_all_executables(httpd_$1_script_t)
	application_exec_all(httpd_$1_script_t)

	files_exec_etc_files(httpd_$1_script_t)
	files_read_etc_files(httpd_$1_script_t)
	files_search_home(httpd_$1_script_t)

	libs_use_ld_so(httpd_$1_script_t)
	libs_use_shared_libs(httpd_$1_script_t)
	libs_exec_ld_so(httpd_$1_script_t)
	libs_exec_lib_files(httpd_$1_script_t)

	miscfiles_read_fonts(httpd_$1_script_t)
	miscfiles_read_public_files(httpd_$1_script_t)

	seutil_dontaudit_search_config(httpd_$1_script_t)

	# Allow the web server to run scripts and serve pages
	tunable_policy(`httpd_builtin_scripting',`
		manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)

		allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
		read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
		append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)

		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
	')

	tunable_policy(`httpd_enable_cgi',`
		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;

		# privileged users run the script:
		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)

		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;

		# apache runs the script:
		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)

		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;

		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;

		allow httpd_$1_script_t self:process { setsched signal_perms };
		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;

		allow httpd_$1_script_t httpd_t:fd use;
		allow httpd_$1_script_t httpd_t:process sigchld;

		kernel_read_system_state(httpd_$1_script_t)

		dev_read_urand(httpd_$1_script_t)

		fs_getattr_xattr_fs(httpd_$1_script_t)

		files_read_etc_runtime_files(httpd_$1_script_t)
		files_read_usr_files(httpd_$1_script_t)

		libs_read_lib_files(httpd_$1_script_t)

		miscfiles_read_localization(httpd_$1_script_t)
	')

	optional_policy(`
		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
			nis_use_ypbind_uncond(httpd_$1_script_t)
		')
	')

	optional_policy(`
		postgresql_unpriv_client(httpd_$1_script_t)
	')

	optional_policy(`
		nscd_socket_use(httpd_$1_script_t)
	')
')
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkTG/UACgkQrlYvE4MpobM1iwCgoZhxtseCjvTUNHKS8wfEx2C1
9PcAoM5r5CfRr/rhogRsGjhOlLRI9y22
=xesH
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 18+ messages in thread
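The build failure PeBenito reports in this exchange ("Conflicting type transition with httpd_cvs_script_rw_t") is what checkpolicy produces when two type_transition rules share a source type, target type and object class but name different default types. The script below is an added example, written for this page; it is not code from refpolicy, from Fedora's policy or from either poster. It scans refpolicy-style rule text for such collisions before the policy is compiled. The sample rules are constructed: the first line assumes, following PeBenito's reply rather than the Fedora template posted above (which does not contain such a line), that refpolicy's apache_content_template transitions httpd_cvs_script_t in /tmp to httpd_cvs_script_rw_t; the second is the line the cvs patch adds. The script treats files_tmp_filetrans() as a type_transition on tmp_t, which is what that refpolicy interface expands to, and also accepts raw `type_transition` statements as printed by `sesearch -T` or found in an expanded policy.conf.

```python
"""Detect conflicting SELinux type_transition rules in refpolicy-style text.

Added example, not code from the refpolicy project or from the thread. It
parses raw `type_transition` statements (policy.conf / `sesearch -T` form)
and refpolicy's files_tmp_filetrans() macro, which expands to a
type_transition on tmp_t, and reports every (source, target, class) that
has been given more than one default type, which checkpolicy rejects.
"""
import re
from collections import defaultdict

# Constructed sample. The first line is the /tmp transition assumed to come
# from refpolicy's apache_content_template (per PeBenito's reply, not the
# Fedora template posted in the thread); the second is the cvs patch's line.
SAMPLE_RULES = """
files_tmp_filetrans(httpd_cvs_script_t, httpd_cvs_script_rw_t, { dir file lnk_file sock_file fifo_file })
files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })   # cvs.te addition
files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
type_transition httpd_t tmp_t:file httpd_tmp_t;
"""

_SET_OR_WORD = r"(\{[^}]*\}|\w+)"   # either `{ a b c }` or one identifier
FILETRANS_RE = re.compile(
    r"files_tmp_filetrans\(\s*(\w+)\s*,\s*(\w+)\s*,\s*" + _SET_OR_WORD + r"\s*\)")
TYPE_TRANSITION_RE = re.compile(
    r"type_transition\s+" + _SET_OR_WORD + r"\s+" + _SET_OR_WORD
    + r":" + _SET_OR_WORD + r"\s+(\w+)\s*;")


def _expand(token):
    """'{ a b }' -> ['a', 'b']; 'a' -> ['a']."""
    token = token.strip()
    if token.startswith("{"):
        return token.strip("{}").split()
    return [token]


def parse_rules(text):
    """Yield (source, target, tclass, default) for every transition in text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = FILETRANS_RE.search(line)
        if m:
            src, default, classes = m.groups()
            for cls in _expand(classes):
                yield (src, "tmp_t", cls, default)
            continue
        m = TYPE_TRANSITION_RE.search(line)
        if m:
            srcs, tgts, classes, default = m.groups()
            for s in _expand(srcs):
                for t in _expand(tgts):
                    for c in _expand(classes):
                        yield (s, t, c, default)


def find_conflicts(text):
    """Return {(source, target, tclass): [defaults...]} for every key that was
    assigned more than one default type. An empty dict means the rules load."""
    defaults = defaultdict(set)
    for src, tgt, cls, default in parse_rules(text):
        defaults[(src, tgt, cls)].add(default)
    return {key: sorted(types) for key, types in defaults.items() if len(types) > 1}


if __name__ == "__main__":
    for (src, tgt, cls), types in sorted(find_conflicts(SAMPLE_RULES).items()):
        print(f"conflict: {src} {tgt}:{cls} -> {' vs '.join(types)}")
```

Run against the sample it reports the two keys (httpd_cvs_script_t, tmp_t, file) and (httpd_cvs_script_t, tmp_t, dir) as carrying both cvs_tmp_t and httpd_cvs_script_rw_t, while the lnk_file, sock_file and fifo_file transitions and the cvs_t rule pass; the same function run over a full expanded policy.conf, or over `sesearch -T` output from an installed policy, is a quick way to see the collision before checkpolicy rejects the build.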

* [refpolicy] services_cvs.patch
@ 2009-03-05 16:34 Daniel J Walsh
  2009-03-23 15:24 ` Christopher J. PeBenito
  0 siblings, 1 reply; 18+ messages in thread
From: Daniel J Walsh @ 2009-03-05 16:34 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_cvs.patch


Fixup read_cvs data

Allow httpd_cvs_script_t to create cvs_tmp files.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmv/y4ACgkQrlYvE4MpobO4FwCgj1Xa8pD3fz4gNjuVM3yAti1p
zWcAmQGAWYKv7D30w67anDFE86jsY/oN
=QULe
-----END PGP SIGNATURE-----


* [refpolicy] services_cvs.patch
  2009-03-05 16:34 Daniel J Walsh
@ 2009-03-23 15:24 ` Christopher J. PeBenito
  0 siblings, 0 replies; 18+ messages in thread
From: Christopher J. PeBenito @ 2009-03-23 15:24 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-03-05 at 12:34 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_cvs.patch
> 
> 
> Fixup read_cvs data
> 
> Allow httpd_cvs_script_t to create cvs_tmp files.

Merged the first part; the second part is a conflict due to Fedora's
different apache policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] services_cvs.patch
@ 2009-06-09  0:21 Daniel J Walsh
  0 siblings, 0 replies; 18+ messages in thread
From: Daniel J Walsh @ 2009-06-09  0:21 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_cvs.patch

Add transition rule to allow httpd script to create cvs_tmp_t files and 
directories.


* [refpolicy] services_cvs.patch
@ 2009-11-12 21:23 Daniel J Walsh
  0 siblings, 0 replies; 18+ messages in thread
From: Daniel J Walsh @ 2009-11-12 21:23 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_cvs.patch

cvs script needs to be able to transition in /tmp to cvs_tmp_t.


* [refpolicy] services_cvs.patch
@ 2010-02-23 20:04 Daniel J Walsh
  0 siblings, 0 replies; 18+ messages in thread
From: Daniel J Walsh @ 2010-02-23 20:04 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_cvs.patch

cvs needs dac_override when it tries to read shadow

cvs cgi script needs to transition files on /tmp


* [refpolicy] services_cvs.patch
@ 2010-08-26 21:08 Daniel J Walsh
  0 siblings, 0 replies; 18+ messages in thread
From: Daniel J Walsh @ 2010-08-26 21:08 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_cvs.patch

CVS script creates files in /tmp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkx2184ACgkQrlYvE4MpobMLXwCfak9MjSSWhip8cOTl1CT5Th1W
pYAAoLQ0G9hRFMX1xMvsTqvaXRnGexyW
=WOTP
-----END PGP SIGNATURE-----

